GHSA-RFH7-FXQC-Q52V @angular/platform-server: SSRF via Hostname Hijacking

Impact A Server-Side Request Forgery SSRF vulnerability exists in @angular/platform-server. The issue stems from how the server-side rendering SSR engine processes the request URL provided to the rendering entry points. When an absolute-form URL e.g., http://evil.com is passed to the rendering...

Server-side Request Forgery (SSRF)

Overview @angular/platform-server is an Angular - library for using Angular in Node.js Affected versions of this package are vulnerable to Server-side Request Forgery SSRF through the processing of absolute-form URLs in the server-side rendering engine. An attacker can redirect internal HTTP...

@angular/platform-server: SSRF via Hostname Hijacking

Impact A Server-Side Request Forgery SSRF vulnerability exists in @angular/platform-server. The issue stems from how the server-side rendering SSR engine processes the request URL provided to the rendering entry points. When an absolute-form URL e.g., http://evil.com is passed to the rendering...

@afd-software/angular-ng-autocomplete (=14.0.0), @angularexpert/my-workspace (=0.0.0) +146 more potentially affected by CVE-2026-46417 via @angular/platform-server (>=0.0.0-0 <=18.2.14)

@angular/platform-server NPM version =0.0.0-0, =5.0.0, =1.0.0, =0.0.1, =2.0.0, =0.0.6, =19.3.0, =1.5.0, =1.4.1, =1.5.2 - @nani-creative-labs/app-builder =1.0.0 - @nger/angular =1.0.3 and more Source cves: CVE-2026-46417 Source advisory: OSV:GHSA-RFH7-FXQC-Q52V...

PT-2026-41374

Name of the Vulnerable Software and Affected Versions @angular/platform-server versions prior to 22.0.0-next.12 @angular/platform-server versions prior to 21.2.13 @angular/platform-server versions prior to 20.3.21 @angular/platform-server versions prior to 19.2.22 Description A Server-Side Reques...

CVE-2026-41423

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8, a Server-Side Request Forgery SSRF vulnerability exists in @angular/platform-server due to improper...

CVE-2026-41423

Summary: CVE-2026-41423 corresponds to an SSRF vulnerability in @angular/platform-server during SSR, where URL handling can cause the server to treat the attacker’s domain as the local origin. This occurs when a crafted request (e.g., GET /evil.com/ HTTP/1.1) is passed to Angular’s rendering func...

CVE-2026-41423 Angular: SSRF via protocol-relative and backslash URLs in Angular Platform-Server

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8, a Server-Side Request Forgery SSRF vulnerability exists in @angular/platform-server due to improper...

Angular 代码问题漏洞

Angular is an open-source development platform created by Angular. It is used to build mobile and desktop web applications using TypeScript/JavaScript and other languages. There were code-related vulnerabilities in versions prior to Angular 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8. These...

GHSA-45Q2-GJVG-7973 Angular: SSRF via protocol-relative and backslash URLs in Angular Platform-Server

Impact A Server-Side Request Forgery SSRF vulnerability exists in @angular/platform-server due to improper handling of URLs during Server-Side Rendering SSR. When an attacker sends a request such as GET /\evil.com/ HTTP/1.1 the server engine Express, etc. passes the URL string to Angular’s...

@afd-software/angular-ng-autocomplete (=14.0.0), @angularexpert/my-workspace (=0.0.0) +146 more potentially affected by CVE-2026-41423 via @angular/platform-server (>=0.0.0-0 <=18.2.14)

@angular/platform-server NPM version =0.0.0-0, =5.0.0, =1.0.0, =0.0.1, =2.0.0, =0.0.6, =19.3.0, =1.5.0, =1.4.1, =1.5.2 - @nani-creative-labs/app-builder =1.0.0 - @nger/angular =1.0.3 and more Source cves: CVE-2026-41423 Source advisory: OSV:GHSA-45Q2-GJVG-7973...

Server-side Request Forgery (SSRF)

Overview @angular/platform-server is an Angular - library for using Angular in Node.js Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the URL parsing during Server-Side Rendering SSR. An attacker can cause the server to make arbitrary HTTP requests to...

Angular: SSRF via protocol-relative and backslash URLs in Angular Platform-Server

Impact A Server-Side Request Forgery SSRF vulnerability exists in @angular/platform-server due to improper handling of URLs during Server-Side Rendering SSR. When an attacker sends a request such as GET /\evil.com/ HTTP/1.1 the server engine Express, etc. passes the URL string to Angular’s...

PT-2026-37114

Name of the Vulnerable Software and Affected Versions Angular versions prior to 19.2.21 Angular versions prior to 20.3.19 Angular versions prior to 21.2.9 Angular versions prior to 22.0.0-next.8 Description A Server-Side Request Forgery SSRF issue exists in @angular/platform-server due to imprope...

Race Condition

@angular/platform-server, @angular/ssr and @nguniversal/common are vulnerable to Race Condition. The vulnerability is due to the platform injector being stored as a module-scoped global variable during server-side rendering, which allows concurrent requests to overwrite or access each other’s...

Race Condition

Overview @angular/platform-server is an Angular - library for using Angular in Node.js Affected versions of this package are vulnerable to Race Condition between multiple concurrent requests in the global platform injector, when using the bootstrapApplication, getPlatform, or destroyPlatform...